Rapid7 Blog

Patch Tuesday - October 2017


This is a relatively light month in terms of severity, but with over 60 vulnerabilities being fixed, there's still plenty of patching to be done.

Of note this month are the various Security Advisories Microsoft has published. ADV170012 calls out a weak key generation vulnerability in certain Trusted Platform Module (TPM) chips from Infineon, which provide security-related functionality via dedicated hardware. TPMs offer advantages by providing cryptographic key management in a tamper-resistant manner, but this vulnerability illustrates the headaches that can result when something goes wrong with them. Any complete fix will require a firmware update obtained from the hardware manufacturer (HP and Fujitsu systems are known to be affected), as well as potentially reconfiguring any services that make use of keys generated by the TPM. This can be an involved process, but in the meantime Microsoft has issued OS updates that can help customers determine whether they're vulnerable and prevent the TPM hardware from generating weak keys. Administrators should carefully review ADV170012 to determine the course of action most appropriate to their organization. Note that TPMs tend to be more prevalent on client devices than on server systems.
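The following triage script is an added example, not code from the Rapid7 post or from Microsoft. It assumes an elevated PowerShell session on a system where the TrustedPlatformModule module (Get-Tpm) is available and the October 2017 update has already been installed, since that update is what lets Windows log an event when the TPM firmware is affected. The property names read from Get-Tpm and the event ID checked are assumptions about the cmdlet and the advisory, noted in the comments.

```powershell
# Added example (not from the Rapid7 post or from Microsoft): read-only
# triage for the ADV170012 TPM weak-key issue. Assumes an elevated session,
# the TrustedPlatformModule module, and the October 2017 OS update installed.

function Get-TpmWeakKeyStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent          = $false
        Manufacturer        = $null
        FirmwareVersion     = $null
        VulnerableEventSeen = $false
    }

    # Get-Tpm reports whether a TPM is present and who made it. The
    # ManufacturerIdTxt / ManufacturerVersion properties are assumed to exist
    # (they do on Windows 10); on older builds they simply come back $null.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent      = $tpm.TpmPresent
        $result.Manufacturer    = $tpm.ManufacturerIdTxt
        $result.FirmwareVersion = $tpm.ManufacturerVersion
    } catch {
        Write-Verbose "Get-Tpm failed: $_"
    }

    # Assumption from the advisory: once the October 2017 update is installed,
    # Windows writes Event ID 1794 from the Microsoft-Windows-TPM-WMI provider
    # to the System log when the TPM firmware has the weak-key problem.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1794
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($events) { $result.VulnerableEventSeen = $true }

    [pscustomobject]$result
}

$status = Get-TpmWeakKeyStatus
$status | Format-List

if (-not $status.TpmPresent) {
    Write-Output 'No TPM present: ADV170012 does not apply to this device.'
} elseif ($status.VulnerableEventSeen) {
    Write-Output ('Affected TPM firmware reported by vendor "{0}" (version {1}). ' -f $status.Manufacturer, $status.FirmwareVersion) +
                 'Obtain a firmware update from the hardware manufacturer, then plan to regenerate any keys the TPM produced and reconfigure the services that rely on them.'
} else {
    Write-Output 'No vulnerability event logged. Confirm the October 2017 update is installed before treating this as a clean result.'
}
```

The script deliberately changes nothing: it only reads TPM properties and the System log, so it can be pushed to a fleet to build the inventory of affected client devices that the advisory's remediation steps (vendor firmware update, then key regeneration) have to be scheduled against. A missing event is only meaningful once the update that writes it is confirmed present, which is why the final branch does not report "not vulnerable".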

Two other advisories, ADV170016 and ADV170017, provide "defense in depth" changes for Server 2008 and Microsoft Office respectively. While these don't remediate specific vulnerabilities, they may mitigate certain classes of attack. Exactly which classes is hard to say, as Microsoft simply states that they provide "enhanced security." The fourth advisory, ADV170014, is an optional enhancement to the NT LAN Manager (NTLM) authentication protocol that can help mitigate dictionary attacks by denying NTLM single sign-on as an authentication method for resources marked as public or external.

Regarding the actual CVEs being addressed this month, three are marked as publicly disclosed, with one (CVE-2017-11826, a memory corruption vulnerability in Office and SharePoint Server) known to be exploited in the wild. In a slight departure from what we've seen in recent months, the number of OS-level vulnerabilities is on par with the number of browser-related issues being fixed. These include some classic vectors such as the Windows font library (CVE-2017-11762 and CVE-2017-11763) and Windows Search (CVE-2017-11771). CVE-2017-11779 is a vulnerability in the DNS API, whereby a DNS server could send a corrupted response to the target, leading to remote code execution. This may sound quite bad at first, but because most clients only ever talk to their configured recursive resolver rather than to arbitrary DNS servers, exploiting it against most client systems would also require a man-in-the-middle position on the path to that resolver. That being said, all it takes is one slip-up for an attacker to find a foothold into your network, so as usual the advice is to apply any relevant updates as soon as possible.